4. M7, M8, M9,M10
M7 – Client Code Quality : like buffer overflows, format string
vulnerabilities, and various other code-level mistakes
M8 – Code Tampering : covers binary patching, local resource
modification, method hooking and dynamic memory
modification.
M9 – Reverse Engineering : analysis of libraries, algorithms,
and other assets.
M10 – Extraneous Functionality : Hidden backdoor
functionalities , commented code (accidently left by
developer)
5. 7/10 M’s are covered in Static Code
Analysis
Which is >50%
6. Fetching APK
For enterprise / intranet Applications Product Team
Via Online
https://apkpure.com/
http://apps.evozi.com/apk-
downloader/?id=com.vng.g6.a.zombie
https://play.google.com/store/apps/details?id=com
.vng.g6.a.zombie&hl=en
7. Conversion of APK to Source Code
Manual via dex2jar/Apktool
http://stackoverflow.com/questions/12732882/reverse-engineering-from-an-apk-
file-to-a-project
Via Online
http://www.javadecompilers.com/apk
Apk files are nothing but zip files.
Zip files contains resources and assembled java code
But unzip will miss classes.dex and resources.arsc files
11. Installing and Configuring Text Editors
Android Studio (or)
Sublime Text
Why Sublime Text ?
Goto Anything functionality
Search of Key strokes
Quick File Switching
Demo
21. MobSF (Mobile Security Framework)
QARK (Quick Android Review Kit)
ApkTool
& Many more…… both commercial and open source tools
available…
*These are open source tools
31. Android Intents
An intent is a Messaging
Object
which can be used to
request an Action from
an another App
Component.
App Components can be
Activities ; Services ;
Broadcast Receivers ;
Content Providers
2 types of Intents
Explicit
Implicit
32. Some of the uses of Intents are
Start a Service
Launch an Activity
Display a web page
Display List of Contacts
Broadcast a Message and
Many More …………………………….
33. Doubt !!!
Y intents are used Y not APIs ?
API Intent
API calls are Synchronous Intent based calls are
Asynchronous
API calls are compile-time
binding
Intent based calls are run-
time binding
BUT …. Intents can similarly be
used as APIs Explicit
34. Implicit Intents
Implicit intents
are often used
to activate
components in
other
applications.
Doesn’t Specify
the
Component…
35. Common Flaws
Dangerous to send/broadcast sensitive information / data
across implicit intents
Since unprivileged implicit intent can use the same
data
Intercept your data
Malicious Injection at
Broadcast Level
Activity Level
Service Launch
36. Explicit Intents
An explicit intent is most
commonly used when
launching an activity (from
another one) within the
same application.
Specifies the component
38. Next Time
Playing around Intents
Deep-drive in Intent Filters
Malicious Intents
Intent Spoofing and intent traffic analysis
Prevention techniques
Self signing of Android app for reverse engg.